Configuring Cisco Secure ACS v5.5 to use RADIUS for Orchestrator Authentication



Similar documents
Integrating with IBM Tivoli TSOM

Outlook Profile Setup Guide Exchange 2010 Quick Start and Detailed Instructions

Application Note. Setting up RADIUS authentication on Opengear devices using Windows 2003 Internet Authentication Service

Managing User Accounts

Instructions for Microsoft Outlook 2003

Authenticating users of Cisco NCS or Cisco Prime Infrastructure against Microsoft NPS (RADIUS)

Managing User Accounts

Managing User Accounts

IIS, FTP Server and Windows

TechNote. Contents. Introduction. System Requirements. SRA Two-factor Authentication with Quest Defender. Secure Remote Access.

Creating and Issuing the Workstation Authentication Certificate Template on the Certification Authority

Integrate Cisco IronPort Web Security Appliance (WSA)

Exchange Outlook Profile/POP/IMAP/SMTP Setup Guide

How To Create An Easybelle History Database On A Microsoft Powerbook (Windows)

Configuring WPA-Enterprise/WPA2 with Microsoft RADIUS Authentication

Easy Setup Guide for the Sony Network Camera

ESET SECURE AUTHENTICATION. Cisco ASA SSL VPN Integration Guide

Setup Guide. network support pc repairs web design graphic design Internet services spam filtering hosting sales programming

GE Intelligent Platforms. Activating Licenses Online Using a Local License Server

uh6 efolder BDR Guide for Veeam Page 1 of 36

VoIP Intercom and Cisco Call Manager Server Setup Guide

This is a training module for Maximo Asset Management V7.1. In this module, you learn to use the E-Signature user authentication feature.

Using Device Discovery

Microsoft Exchange Mailbox Software Setup Guide

Configuring User Identification via Active Directory

DESLock+ Basic Setup Guide Version 1.20, rev: June 9th 2014

System Administration and Log Management

To configure Outlook Express for your InfoMetrics address:

NETWORK SETUP INSTRUCTIONS

Configuring a Check Point FireWall-1 to SOHO IPSec Tunnel

Windows Live Mail Setup Guide

Windows XP Exchange Client Installation Instructions

How do I set up a branch office VPN tunnel with the Management Server?

CIMHT_006 How to Configure the Database Logger Proficy HMI/SCADA CIMPLICITY

Management Authentication using Windows IAS as a Radius Server

Active Directory integration with CloudByte ElastiStor

If you re not using VMware vsphere Client 5.1, your screens may vary.

ESET SECURE AUTHENTICATION. Cisco ASA Internet Protocol Security (IPSec) VPN Integration Guide

Setting up Sharp MX-Color Imagers for Inbound Fax Routing to or Network Folder

Scan to Quick Setup Guide

ActivIdentity 4TRESS AAA Web Tokens and SSL VPN Fortinet Secure Access. Integration Handbook

Using the Content Distribution Manager GUI

Set Up Setup with Microsoft Outlook 2007 using POP3

Using Windows Active Directory for Account Authentication to PS Series Groups

How to Setup PPTP VPN Between a Windows PPTP Client and the DIR-130.

3CX Guide sip.orbtalk.co.uk

Establishing a VPN tunnel to CNet CWR-854 VPN router using WinXP IPSec client

Install and Configure Oracle Outlook Connector

OUTDOOR IR NETWORK CAMERA Series

RETRIEVING NMR DATA JB Stothers NMR Facility Materials Science Addition 0216 Department of Chemistry Western University

Browser Client 2.0 Admin Guide

How to Program a Commander or Scout to Connect to Pilot Software

Setting up Your Acusis Address. Microsoft Outlook

1. Introduction What is Axis Camera Station? What is Viewer for Axis Camera Station? AXIS Camera Station Service Control 5

How To Configure L2TP VPN Connection for MAC OS X client

HRG Performance Series DVR DDNS Support Application Note (hrgddns)

Avigilon Control Center System Integration Guide

1. Open Thunderbird. If the Import Wizard window opens, select Don t import anything and click Next and go to step 3.

How to configure MAC authentication on a ProCurve switch

MAC OS X 10.5 Mail Setup

How do I load balance FTP on NetScaler?

Immotec Systems, Inc. SQL Server 2005 Installation Document

DC Agent Troubleshooting

1. Open the preferences screen by opening the Mail menu and selecting Preferences...

StarWind iscsi SAN Software: Challenge-Handshake Authentication Protocol (CHAP) for Authentication of Users

Avaya IP Office SIP Configuration Guide

RingCentral Office. Configure Grandstream phones with RingCentral. To contact RingCentral, please visit or call

Quick Start Guide. WRV210 Wireless-G VPN Router with RangeBooster. Cisco Small Business

To install the SMTP service:

Cisco Unified Communications Manager SIP Trunk Configuration Guide

Configuring Color Access on the WorkCentre 7120 Using Microsoft Active Directory Customer Tip

Cisco Unified Communications Manager 7.1 SIP Configuration Guide

VELOCITY. Quick Start Guide. Citrix XenServer Hypervisor. Server Mode (Single-Interface Deployment) Before You Begin SUMMARY OF TASKS

Setting Up Sharp MX-Color Imagers To Scan To

Online Statements. About this guide. Important information

CONSOLEWORKS WINDOWS EVENT FORWARDER START-UP GUIDE

Microsoft IAS Configuration for RADIUS Authorization

Cloud Services ADM. Agent Deployment Guide

Cisco QuickVPN Installation Tips for Windows Operating Systems

Scenario: IPsec Remote-Access VPN Configuration

Exchange Outlook Profile/POP/IMAP/SMTP Setup Guide

LogLogic Cisco IPS Log Configuration Guide

Configuring Windows 2000/XP IPsec for Site-to-Site VPN

SiteCount v2.0 Revised: 10/30/2009

NETWORK SET UP GUIDE FOR RVH1004/US411 RVH1008/US811 RVH1016/US st G/2 nd G/3 rd G UGI H.264 DVR. SUPPORTING ROUTER DLINK LINKSYS NETGEAR Belkin

client configuration guide. Business

Locking Users into a VPN 3000 Concentrator Group Using a RADIUS Server

Rx Medical. SMD Utility. Task Scheduler Configuration

Hallpass Instructions for Connecting to Mac with a Mac

MultiSite Manager. Setup Guide

BroadSoft BroadWorks ver. 17 SIP Configuration Guide

Management, Logging and Troubleshooting

SITRANS RD500 Configuring the RD500 with PSTN or GSM modems and Windows-based servers and clients for communication Objective:

Configuring SonicWALL TSA on Citrix and Terminal Services Servers

EventTracker: Integrating Imperva SecureSphere

How To Connect To A University Of Cyprus Vpn 3000 From Your Computer To A Computer With A Password Protected Connection

Install MS SQL Server 2012 Express Edition

Configure your firewall for administrative access via RADIUS authentication

Discovery Guide. Secret Server. Table of Contents

TSM for Windows Installation Instructions: Download the latest TSM Client Using the following link:

Transcription:

Configuring Cisco Secure ACS v5.5 to use RADIUS for Orchestrator Authentication This document outlines the procedure for configuring Cisco Secure Access Control System to provide RADIUS services for Orchestrator authentication. This procedure for configuring RADIUS references the ACS server s internal user datastore. All names and descriptions created by the user are denoted in cyan. Advanced users who are familiar with the ACS RADIUS configuration tasks and only need to know the Orchestrator attributes for admin and monitor can refer to the following table: Dictionary Type Attribute Type Value admin Radius Cisco cisco-av-pair string LOGIN:priv-lvl=7 Radius IETF service Type Enumeration NAS prompt monitor Radius Cisco cisco-av-pair string LOGIN:priv-lvl=0 Radius IETF service Type Enumeration NAS prompt SUMMARY OF TASKS 1 Add Orchestrator information to Cisco s Secure Access Control System 2 Create Identity Groups for Orchestrator s admin and monitor users 3 Create ACS internal users for the Orchestrator 4 Define attributes for admin and monitor users for Orchestrator 5 Create access services that define policy structure and allowed protocols for admin and monitor 6 Create access rules for the services 7 Create a Service Selection Rule to parse traffic hitting the RADIUS server for appropriate action 8 Configure the Orchestrator for RADIUS authentication with Cisco Secure ACS Rev A - March 2016

1 Add Orchestrator information to Cisco s Secure Access Control System a After logging into the Cisco Secure ACS, navigate to Network Resources > Network Devices and AAA Clients. b Click Create. Complete the following fields: Name: Orchestrator Description: adding Orchestrator to ACS IP: [Orchestrator IP address] RADIUS: [select] Shared Secret: [Orchestrator s shared secret] c Click Submit. The result displays in the Network Devices table. Rev A - March 2016 2

2 Create Identity Groups for Orchestrator s admin and monitor users a Navigate to Users and Identity Stores > Identity Groups, and at the bottom of the page, click Create. To create the group for admin, complete the following fields: Name: orchestrator-admin-group Description: Orchestrator administrator group b Click Submit. The new group displays under All Groups. c Click Create. Rev A - March 2016 3

d Again, navigate to Users and Identity Stores > Identity Groups, and at the bottom of the page, click Create. To create the group for monitor, complete the following fields: Name: orchestrator-monitor-group Description: Orchestrator monitor group e Click Submit. The new group displays under All Groups. Rev A - March 2016 4

3 Create ACS internal users for the Orchestrator a b Navigate to Users and Identity Stores > Internal Identity Stores > Users, and at the bottom of the page, click Create. To create an admin-level user for Orchestrator, complete the following fields: Name: Description: Identity Group: Password Type: Password / Confirm Password: orchadmin Orchestrator administrator [select] All Groups: orchestrator-admin-group Internal Users [create one] Rev A - March 2016 5

c Click Submit. The new user name appears in the Internal Users list. d Click Create. To create a monitor-level user for Orchestrator, complete the following fields: Name: Description: Identity Group: Password Type: Password / Confirm Password: orchmonitor Orchestrator monitor [select] All Groups: orchestrator-monitor-group Internal Users [create one] Rev A - March 2016 6

e Click Submit. The new user name appears in the Internal Users list. Rev A - March 2016 7

4 Define attributes for admin and monitor users for Orchestrator a b To create an admin profile, navigate to Policy Elements > Authorizations and Permissions > Network Access > Authorization Profiles, and at the bottom of the page, click Create. In the General tab, complete the following: Name: Description: RADIUS admin profile authorization profile for admin Rev A - March 2016 8

c Click the RADIUS Attributes tab and complete the following: Dictionary Type: RADIUS Attribute: Attribute Type: Attribute Value: RADIUS-Cisco cisco-av-pair String Static [enter this] LOGIN:priv-lvl=7 d Click Add^. The entry appears in the Manually Entered table. Now, we ll add a second attribute. Rev A - March 2016 9

e In the RADIUS Attributes tab, complete the following: Dictionary Type: RADIUS Attribute: Attribute Type: Attribute Value: RADIUS-IETF Service-Type Enumeration Static NAS Prompt f Click Add^. The entry appears in the Manually Entered table. Rev A - March 2016 10

g Click Submit. The RADIUS admin profile appears in the Authorization Profiles list. Now, we ll create the monitor profile. h Click Create. In the General tab, complete the following: Name: Description: RADIUS monitor profile authorization profile for monitor Rev A - March 2016 11

i Click the RADIUS Attributes tab and complete the following: Notice that for the monitor, the level equals zero. Dictionary Type: RADIUS Attribute: Attribute Type: Attribute Value: RADIUS-Cisco cisco-av-pair String Static [enter this] LOGIN:priv-lvl=0 Rev A - March 2016 12

j Click Add^. The entry appears in the Manually Entered table. Now, we ll add the second attribute. k In the RADIUS Attributes tab, complete the following: Dictionary Type: RADIUS Attribute: Attribute Type: Attribute Value: RADIUS-IETF Service-Type Enumeration Static NAS Prompt Rev A - March 2016 13

l Click Add^. The entry appears in the Manually Entered table. m Click Submit. The RADIUS monitor profile appears in the Authorization Profiles list. Rev A - March 2016 14

5 Create access services that define policy structure and allowed protocols for admin and monitor a Navigate to Access Policies > Access Services, and click Create. When Step 1 - General appears, complete the following: Name: Description: User Selected Service Type: Policy Structure: Orch-admin services Orchestrator admin services for administrator Network Access Identity Authorization b Click Next. When Step 2 - Allowed Protocols appears, select the following: Process Host Lookup: Authentication Protocols: [deselect] Allow PAP/ASCII Allow CHAP Rev A - March 2016 15

c Click Finish. When asked if you d like to activate this service, click Yes. Notice that Orch-admin services is now listed under Access Policies in the navigation panel. Rev A - March 2016 16

6 Create access rules for the services These specify the conditions users must meet for access to Orchestrator. a Navigate to Access Policies > Access Services > Orch-admin services > Identity, and click Select. b Select Internal Users, and click Save Changes. Rev A - March 2016 17

c Navigate to Access Policies > Access Services > Orch-admin services > Authorization, and click Customize. The Customize Conditions window appears. d Select and move Compound Condition from the Selected column to the Customize Conditions column. Rev A - March 2016 18

e Select and move Identity Group to the Selected column. f Click OK. The result displays in the Conditions column. Rev A - March 2016 19

g Click Create. A dialog box appears. h Select the Identity Group checkbox, and click Select. The Network Device Groups list appears. i Select orchestrator-admin-group and click OK. The Rule-1 dialog returns. Rev A - March 2016 20

j Below the Authorization Profiles field, click Select. The Authorization Profiles dialog appears. k Select RADIUS admin profile and click OK. Rev A - March 2016 21

The input window returns. l Click OK. The Network Access Authorization Policy returns, with Rule-1 included. m n At the bottom of the page, click Save Changes. Now you ll add Rule-2 to include the RADIUS monitor profile. At the bottom of the page, click Create. The Rule-2 dialog box appears. Select the Identity Group checkbox, and click Select. The Network Device Groups list appears. Select orchestrator-monitor-group and click OK. The Rule-2 dialog returns. Below the Authorization Profiles field, click Select. The Authorization Profiles dialog appears. Rev A - March 2016 22

Select RADIUS monitor profile and click OK. The input window returns. Click OK. The Network Access Authorization Policy returns, with Rule-2 included. o Click Save Changes. Rev A - March 2016 23

7 Create a Service Selection Rule to parse traffic hitting the RADIUS server for appropriate action a Navigate to Access Policies > Access Services: Service Selection Rules, and click Create. A dialog appears for creating a new rule. Rev A - March 2016 24

b Complete the following: Select the Protocol checkbox, and select match and Radius. From the drop-down list in the Service field, select Orch-admin services. Click OK. The Service Selection Policy page appears, displaying the new rule at the bottom of the list. c Select the new rule, and click the caret to move the rule up to the appropriate priority. Use the caret to move the Service Selection Rule up to the appropriate priority. Rev A - March 2016 25

d Click Save Changes. You have now finished configuring Cisco Secure ACS to use RADIUS for authenticating Orchestrator users. Rev A - March 2016 26

8 Configure the Orchestrator for RADIUS authentication with Cisco Secure ACS a After logging into the Orchestrator as admin, navigate to Orchestrator Administration > Authentication. The Remote Authentication dialog box appears. b Select RADIUS, and complete the following: Authentication Order: Remote first Server IP: [Cisco Secure ACS IP address] Server Port: 1812 Server Secret Key: [Orchestrator s shared secret] c d Click Save. Log out of Orchestrator. Rev A - March 2016 27

e On the welcome page, log in as orchadmin, the identity you created in the RADIUS server. Orchestrator is now authenticating users via the RADIUS server. Rev A - March 2016 28

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information